CVE-2017-7399

Cloudera Manager 5.8.x before 5.8.5, 5.9.x before 5.9.2, and 5.10.x before 5.10.1 allows a read-only Cloudera Manager user to discover the usernames of other users and elevate the privileges of those users.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name	Vendor	Start Version	End Version
Cloudera_manager	Cloudera	5.0.0 (including)	5.0.7 (including)
Cloudera_manager	Cloudera	5.1.0 (including)	5.1.6 (including)
Cloudera_manager	Cloudera	5.2.0 (including)	5.2.7 (including)
Cloudera_manager	Cloudera	5.3.0 (including)	5.3.10 (including)
Cloudera_manager	Cloudera	5.4.0 (including)	5.4.3 (including)
Cloudera_manager	Cloudera	5.4.5 (including)	5.4.10 (including)
Cloudera_manager	Cloudera	5.5.0 (including)	5.5.6 (including)
Cloudera_manager	Cloudera	5.6.0 (including)	5.6.1 (including)
Cloudera_manager	Cloudera	5.7.0 (including)	5.7.5 (including)
Cloudera_manager	Cloudera	5.8.0 (including)	5.8.3 (including)
Cloudera_manager	Cloudera	5.9.0 (including)	5.9.1 (including)
Cloudera_manager	Cloudera	5.10.0 (including)	5.10.0 (including)

Potential Mitigations

References

https://docs.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#concept_tvf_34r_1cb

NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-7399
CWE	https://cwe.mitre.org/data/definitions/269.html

Improper Privilege Management

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References